Elsevier

Digital Investigation

Volume 18, Supplement, 7 August 2016, Pages S76-S86
Digital Investigation

DFRWS USA 2016 — Proceedings of the 16th Annual USA Digital Forensics Research Conference
Time is on my side: Steganography in filesystem metadata

https://doi.org/10.1016/j.diin.2016.04.010Get rights and content
Under a Creative Commons license
open access

Abstract

We propose and explore the applicability of file timestamps as a steganographic channel. We identify an information gap between storage and usage of timestamps in modern operating systems that use high-precision timers. Building on this, we describe a layered design of a steganographic system that offers stealthiness, robustness, and wide applicability. The proposed design is evaluated through theoretical, evidence-based, and experimental analysis for the case of NTFS using datasets comprising millions of files. We report a proof-of-concept implementation and confirm that the embedded information is indistinguishable from that of a normal filesystem use. Finally, we discuss the digital forensics analysis implications of this new information-hiding technique.

Keywords

Digital forensics
Data hiding
Steganography
Storage forensics
File system forensics
Real-world data corpus

Cited by (0)